Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on

Jul 30th 2021

✍️ Description

Attacker able to delete any user if knows the user id parameter value.

🕵️‍♂️ Proof of Concept

Here after running PoC.html on Firefox or Safari and click on submit button (also can be auto-submit) you will see that the user with id 3 has been deleted.


<script>history.pushState('', '', '/')</script>
<form action="" method="POST">
<input type="hidden" name="id" value="3" />
<input type="submit" value="Submit request" />

💥 Impact

Here a user with id value 3 will be deleted after clicking on submit button. 📍 Location app.js#L1

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
2 years ago


Hey microweber team , can you give some feedbacks to me? thanks so much.

Peter Ivanov has invalidated this vulnerability 2 years ago

You need to be logged as admin to make this action

The disclosure bounty has been dropped
The fix bounty has been dropped
2 years ago


Yah the main action of any CSRF attack is that users must be logged in before, excuse me for my bad explanation but this is CSRF and already assigned a CWE to it.

2 years ago


You can set Strict value on SameSite attribute of just one of your cookies and then anybody won't able to perform any CSRF attacks.

Peter Ivanov
2 years ago

Hello Thanks for info

Yes you are correct some 3rd party domain can trick you

This makes a valid issue and we will look how to fix it

Will update you soon

2 years ago


aaahhh thank you sir i was doubting to my experience :))

can you just look at some other reports and validate them too ( they will be hidden until you make a fix for them)

2 years ago


@admin can you change the status of this report like before?

Jamie Slome
2 years ago


@amammad @peter - I have updated the status of this report to pending. Feel free to mark as valid if you see fit.

Peter Ivanov validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 2fa9a6 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation